How to perform logging for both MSAL.Net and Microsoft Graph SDK

Microsoft Graph SDK has the ability to log out complete HTTP Requests and Reponses as documented here. The way this logging mechanism works is by implementing a custom HttpClient Message handler to intercept every HTTP Request and Response between the client application and the Microsoft Graph Service. Besides hooking into GraphServiceClient’s processing pipeline to do request and response tracing, one can also configure proxy info. See Customize the Microsoft Graph…

Read More

Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory

In this blog post, I will demonstrate a simple Azure AD-protected Web API sample using Spring Boot Starter for Azure Active Directory. If you are not familiar with Spring Boot Starter for Azure Active Directory, please take a look at azure-sdk-for-java/sdk/spring/azure-spring-boot-starter-active-directory at main ยท Azure/azure-sdk-for-java (github.com) and the Azure AD Spring Developer’s Guide. Requirement: You must have a Web API Application registered in Azure Active Directory and expose its permission…

Read More

Script errors running MSAL.Net in XBAP application

You may encounter script errors with the background text saying cookies are disabled when running MSAL code snippet similar to the following in a XAML Browser Application (XBAP) from Internet Explorer when performing Azure AD login Root Cause XBAP Applications, although housed in Internet Explorer, runs in its own process space: PresentationHost.exe, which is a very tightly-controlled security container. XBAP Application uses the webBrowser control to host the Azure AD…

Read More

AADSTS50000: There was an error issuing a token or an issue with our sign-in service

This error can occur during Azure AD authentication process or during any token acquisition flow using the token endpoint. There are multiple causes for this error to happen. Below are a few scenarios that can lead to the error . Root Cause 1: the user password is either expired, invalid, or out of sync This can happen more predominantly in a hybrid environment. The authenticated federated account’s password may be…

Read More

Using MSAL.js v2 in a SPA App to call a web API protected by Azure App Service’s Easy Auth with Azure AD

There are a couple of ways to call an Easy Auth enabled web API. You can either call the web API with: an Easy Auth session cookie (via a previously authenticated browser session to the web API) or An Azure AD Bearer JWT token In this post I will show you how to use MSAL.JS v2 in a Single Page Application (SPA) to get an access token for the web…

Read More

Getting Azure Key Vault secret with Azure.Identity and Azure.Security.KeyVault

In my last post, I talked about using ADAL (now deprecated) with the KeyVaultClient class to get an access token using OAuth2 Client Credentials Grant flow and query Azure Key Vault with that access token. In this post, I’ll talk about using a couple of new classes in the Azure SDK for .NET library to accomplish the same goal. We will use Azure.Identity name space for our Azure AD token…

Read More

Some tips and tricks with Fiddler capture

Recently, I came across a couple of scenarios where I could not get Fiddler to capture SSL traffic easily. Below are the some tips and tricks that may help in these situations. Scenario 1: Capture Node.js web traffic in Fiddler In the same command window where you run npm start to start the node server, run the below set commands first to set the proxy info before running npm start.…

Read More

Using OpenID Connect OWIN middleware to validate an Azure AD JWT token signed with a symmetric key

Azure AD by default uses a certificate to sign an OAuth2 JWT token using an asymmetric algorithm (RS256). Alternatively a JWT token can be signed with a “shared” secret using a symmetric algorithm (HS256). Asymmetric signing algorithm is always more secure in preventing the token to be tampered with compared to a symmetric algorithm since the private key is always kept at the Identity Provider (IDP) and the token consumer…

Read More

What’s the security implication of changing the default client type from confidential to public in Azure AD?

From time to time, I get asked this question by a few different customers especially when they encounter the error “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’” when authenticating to Azure AD. The error is related to the following Default client type setting in the Authentication blade of a registered application: By default the setting is set to No (confidential client). Changing to ‘Yes’ converts…

Read More